Data packets generally comprise the underlying data to be communicated, surrounded by one or more layers of header and footer information to enable forwarding the packet from end user to end user. Initially, a header identifying the application is appended to the data, i.e. the application layer. Thereafter, a header identifying the ports and communication protocol is appended, i.e. the transport layer. The network layer identifies the source and destination devices by their network addresses, such as an IP address. Lastly, the immediate link protocol information is included in the data link layer.
For internet applications the network layer comprises the IP address of the source and destination devices. Proper transmission requires that these addresses be unique. However, their number is limited. For example, there are at most 4 billion IP addresses. With the proliferation of the Internet this number is clearly insufficient. To reduce the demand on IP addresses, devices connected through a gateway, such as a router, to the Internet are not necessarily given Internet-unique IP addresses. For example, the devices within a local area network ("LAN") with access to the Internet through a router will have IP addresses which are unique among the devices in the LAN, but not unique among all devices on the Internet.
To facilitate the following discussion we will refer to a network device with a non-unique network address as a home network device. The home network device may be part of an intranet, or it may be a stand-alone computer with access to an internet, such as through an internet service provider. The key is that the home network device does not have a unique network address vis-à-vis the internet to which it has access.
Within the intranet, each home network device has a unique IP address. Therefore the home network devices have no difficulty identifying each other and communicating. However, since its network address is not unique with respect to other devices on the Internet, its packets cannot be forwarded directly to their respective destinations. Rather, a home network device that wants to forward a packet to a destination device on the Internet initially includes its non-unique address SA in the network layer header and forwards the packet to the router. The router removes the address SA and inserts its own Internet-unique address RSA instead. The router records the source address SA, the destination address DA, the source port SP, the destination port DP and the protocol type PT from the network and transport layers of the packet, and then forwards the packet to its destination over the internet.
Any response from the destination will carry RSA as its destination address DA', and DA, SP, DP and PT as its source address SA', destination port DP', source port SP' and protocol type PT, respectively. The router will recognize this combination of values as a response from the original destination, now acting as a source, to the original source, now acting as a destination. The router will then replace its own IP address RSA in the DA' field of the network layer header with the non-unique address SA of the original source and forward the response to the appropriate network device.
While the above-mentioned scheme addresses the concern of limited IP addresses, it remains limited with respect to several applications. First, it does not enable a source to send a packet through the Internet to a home network device, unless it is responding to a packet that originated from that home network device. The source simply has no means for identifying the home network device. The source can only identify the router connecting the home network device to the internet. Yet the router has no means for determining which home network device is the intended recipient of the packet.
A second application where the above-mentioned scheme is at best inefficient is voice communication over the Internet using a protocol such as ITU H.323, well known in the art. In accordance with the ITU H.323 protocol, the source network device inserts its IP address among the data bits of the IP packet (the payload, as opposed to the network layer header). Clearly, where the source device is a home network device, the source address that would be inserted into the payload would be a non-unique address which may not appear outside of the home network. Thus the home network device could not engage in voice communications in accordance with ITU H.323. While it is possible to instruct the router to examine the payload, remove the non-unique network address and insert its own unique network address, this would involve many operations that would overload the router. In addition, the router would have to apply the same operations in reverse when it receives a response from the internet device to the home network device. Moreover, the router would have to be able to handle similar operations for each of a variety of protocols with similar demands, such as the file transfer protocol ("FTP").
A third application where the above-mentioned scheme is limited in enabling access between home network devices and devices on the Internet is the IP security protocol. IP security is a scheme for authenticating the communicating devices. In general, a device employing IP security performs a checksum operation on its IP header and the result is appended as a header to the IP header. The destination device performs a similar checksum operation on the IP header of the received packet and compares the result with the IP security header.
This will not work, however, when the IP packet was forwarded from a home network device to an Internet device in accordance with the above-mentioned scheme. In this scheme the original source address of the packet on which the IP security header depends is replaced with the router source address. Thus when the destination device receives the packet and performs the checksum operation the IP security header will not match. As with voice communications, to employ the router to replace the IP security header is too complicated. Indeed, currently IP security is not used with home network devices.
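The translation procedure described above (the router's SA/RSA substitution and its (SA, DA, SP, DP, PT) record), the first limitation (an unsolicited packet addressed to the router cannot be delivered) and the IP security limitation (a tag computed over the IP header by the home network device no longer verifies after translation) can be modelled in a few lines. This is an added illustration, not text or code from the patent; the addresses, ports and the `Packet`/`Router` names are constructed, and `header_tag` stands in for the checksum operation the text describes.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import Optional

RSA = "203.0.113.5"   # constructed: the router's Internet-unique address

@dataclass(frozen=True)
class Packet:
    sa: str; da: str     # network layer: source / destination address
    sp: int; dp: int     # transport layer: source / destination port
    pt: str              # protocol type
    tag: Optional[str] = None   # IP-security-style tag over the IP header

def header_tag(p: Packet) -> str:
    """Checksum-style tag over the IP header fields, standing in for the IP security header."""
    return hashlib.sha256(f"{p.sa}|{p.da}|{p.pt}".encode()).hexdigest()[:16]

class Router:
    def __init__(self) -> None:
        self.table: dict = {}   # (DA, SP, DP, PT) -> SA of the home network device

    def outbound(self, p: Packet) -> Packet:
        self.table[(p.da, p.sp, p.dp, p.pt)] = p.sa   # record SA before replacing it
        return replace(p, sa=RSA)                      # SA -> RSA in the network layer

    def inbound(self, r: Packet) -> Optional[Packet]:
        if r.da != RSA:
            return None
        # The response carries DA as SA', DP as SP' and SP as DP', so look up with ports swapped.
        sa = self.table.get((r.sa, r.dp, r.sp, r.pt))
        return None if sa is None else replace(r, da=sa)  # RSA -> SA, or drop if unknown

def reply_to(p: Packet) -> Packet:
    """The Internet device answers by swapping addresses and ports."""
    return Packet(sa=p.da, da=p.sa, sp=p.dp, dp=p.sp, pt=p.pt)

def run_scenario() -> dict:
    router = Router()
    home = Packet("192.168.1.10", "198.51.100.7", 40000, 1720, "TCP")   # constructed
    home = replace(home, tag=header_tag(home))   # tag computed on the untranslated header
    out = router.outbound(home)
    back = router.inbound(reply_to(out))
    unsolicited = router.inbound(Packet("198.51.100.9", RSA, 5060, 5060, "UDP"))
    return {
        "translated_sa": out.sa,                       # RSA
        "delivered_to": back.da if back else None,     # SA restored by the router
        "unsolicited_dropped": unsolicited is None,    # first limitation: no record to consult
        "tag_verifies": header_tag(out) == out.tag,    # third limitation: recomputed on RSA, fails
    }
```

The `tag_verifies` result is the mismatch the text describes: the destination recomputes the checksum over a header whose source address is now RSA, while the tag was computed over SA.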
Accordingly, a method for network address translation not constrained by the aforementioned limitations is desirable and described below.